/administrator/manifests/files/joomla.xml

Discussion regarding Joomla! 3.x security issues.

doushabu06
Joomla! Intern
Posts: 95
Joined: Fri Feb 28, 2014 9:39 pm
Location: Switzerland

/administrator/manifests/files/joomla.xml

Post by doushabu06 » Fri Mar 04, 2016 10:12 am

The file in the title was accessed on a website. I have also tried opening it, and it opens and outputs Joomla information such as version, files/folders, update server etc. Is that file usually public, or does that mean my site is compromised?

Also, if it's normal Joomla behaviour, isn't that a security vulnerability, since anyone can know general CMS info of a Joomla site? If this is how Joomla functions, I would like to manually restrict access to that file, as it's no good from any angle.

Thanks in advance for any help.

sudo-web
Joomla! Ace
Posts: 1325
Joined: Fri Jan 22, 2016 7:10 pm
Location: Vienna - Austria

Re: /administrator/manifests/files/joomla.xml

Post by sudo-web » Fri Mar 04, 2016 8:15 pm

An XML file is, in the view of your webserver, just a file, like an image file. So if you know the exact location you can view it. This is nothing that can be handled by Joomla! itself, but you have several options.

If you are the only one, or only a few people, who need access to the administrator page, you can add an htpasswd to protect the whole administrator area.

Another, and additional, option is to deny access to all XML files through htaccess like so:

# Apache 2.2-style access control: refuse every request for a file whose name ends in .xml.
# Note that this applies site-wide, so it also covers public XML files such as a sitemap.xml.
<Files ~ "\.xml$">
Order allow,deny
Deny from all
Satisfy all
</Files>

Visit me on my Webdesign Webpage: https://www.posit.at

mandville
Joomla! Master
Posts: 15040
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: /administrator/manifests/files/joomla.xml

Post by mandville » Fri Mar 04, 2016 9:00 pm

There are numerous/a multitude of ways of finding a Joomla version, not just the xml file (hints in the below code).
Search for the phrase "security through obscurity". It is not a vulnerability, otherwise we wouldn't have put it there.
This code may help also:

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
## (needs mod_rewrite; place these after the RewriteEngine On line of the site's .htaccess)
## Let the administrator entry points through untouched ("-" = keep URL, [L] = stop rewriting and serve)
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
## Under these back-end folders allow only the listed static asset types (no xml, ini or php)
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Everything else under administrator/ is answered with 403 Forbidden
RewriteRule ^administrator/ - [F]

HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
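The two rulesets in this thread are easy to misjudge by eye, so here is an added example (not code from either post or from Joomla itself) that re-implements their matching logic in Python and reports whether a request path would be served or refused. It shows that the manifest and other back-end XML files are refused while admin entry points and assets still load, and that the site-wide <Files> rule from the earlier post also catches files such as a sitemap.xml. The request paths are constructed samples.

```python
import re

# The RewriteRule patterns from the post above, in their original order.
# Target "-" leaves the URL unchanged; [L] stops processing (request is served),
# [F] answers 403 Forbidden.
BACKEND_RULES = [
    (r"^administrator/?$", "L"),
    (r"^administrator/index\.(php|html?)$", "L"),
    (r"^administrator/index[23]\.php$", "L"),
    (r"^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+"
     r"(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?"
     r"|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$", "L"),
    (r"^administrator/", "F"),
]


def backend_decision(path):
    """Outcome of the rewrite rules for one request path: 'serve', 'forbid' or 'no-match'."""
    # In per-directory (.htaccess) context Apache matches the path without its leading slash.
    rel = path.lstrip("/")
    for pattern, flag in BACKEND_RULES:
        if re.search(pattern, rel):
            return "serve" if flag == "L" else "forbid"
    return "no-match"  # not under administrator/, so these rules say nothing about it


def request_outcome(path, files_xml_rule=False):
    """Same check, with the site-wide <Files> .xml deny from the earlier post switched on or off."""
    filename = path.rsplit("/", 1)[-1]
    if files_xml_rule and re.search(r"\.xml$", filename):
        return "forbid"  # <Files> matches on the file name, anywhere under the site root
    return backend_decision(path)


# Constructed sample paths (not taken from any real site).
SAMPLE_PATHS = [
    "/administrator/manifests/files/joomla.xml",
    "/administrator/components/com_admin/admin.xml",
    "/administrator/index.php",
    "/administrator/templates/isis/css/template.css",
    "/sitemap.xml",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:50} rewrite={backend_decision(p):8} with <Files>={request_outcome(p, True)}")
```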

doushabu06
Joomla! Intern
Posts: 95
Joined: Fri Feb 28, 2014 9:39 pm
Location: Switzerland

Re: /administrator/manifests/files/joomla.xml

Post by doushabu06 » Sun Mar 06, 2016 2:07 pm

Thanks
